Privacy Policy
CrbonFree Shopify App Privacy Policy
Learn how CrbonFree collects, uses, discloses, and protects personal information when you use the CrbonFree Shopify App, related sites, and customer support channels.
1. Introduction & Scope
This Privacy Policy (the "Policy") explains how Crbon Labs Inc. ("CrbonFree," "we," "us," or "our") collects, uses, discloses, and protects personal information in connection with the CrbonFree Shopify App, our related websites, and customer support channels (collectively, the "Services"). This Policy covers personal information about merchants, their staff users, and, where applicable, end customers whose personal information we process on behalf of merchants through Shopify.
2. Definitions
"Personal information" means information that identifies, relates to, describes, or can reasonably be linked to an identified or identifiable individual (this includes "personal data" under GDPR and UK GDPR). "Sensitive personal information" includes data such as precise geolocation, financial account numbers, government IDs, and children's data, as defined by applicable law.
3. Our Role
For merchant account data (for example contact, billing, and support information), CrbonFree is a controller (PIPEDA: organization; CPRA: business). For customer data that merchants send to or retrieve through the App from Shopify, CrbonFree acts as a processor or service provider handling data on behalf of the merchant, and only according to the merchant's instructions and Shopify's requirements.
4. Information We Collect
We collect personal information from the following categories, depending on how you use the Services:
- Identifiers: name, email address, phone number, merchant or store URL, Shopify merchant ID.
- Commercial information: subscription tier, in-app transactions, invoices, order metadata received via Shopify APIs or webhooks.
- Internet or technical information: IP address, device and browser type, app logs, usage events, crash reports.
- Financial or billing: limited payment details such as billing address and transaction IDs processed by our payments provider; we do not store full card numbers.
- Professional information: role, permissions, and users authorized within the merchant account.
- Inferences: product usage trends used to improve the Services in aggregated or de-identified form.
5. Sources of Personal Information
We may receive personal information from these sources:
- Directly from you.
- Automatically through the App.
- From Shopify via APIs, webhooks, and permissions that you authorize.
- From service providers such as analytics, payments, and hosting partners consistent with this Policy.
6. Purposes of Use
- Provide and operate the App and the features you request.
- Authenticate users, secure accounts, and prevent fraud or misuse.
- Process payments and manage subscriptions and billing.
- Provide support, troubleshoot issues, and respond to inquiries.
- Analyze usage to maintain and improve performance and reliability.
- Send service notices and, with consent or as permitted by law, send product updates and marketing that you can opt out of at any time.
- Comply with legal obligations and enforce agreements.
7. Sensitive Personal Information
We do not intentionally collect sensitive personal information. If we must process such data to provide a requested feature, we will limit our use to the purposes reasonably necessary and obtain any required consent.
8. Sale or Share for Targeted Advertising and Global Privacy Control (GPC)
We do not sell personal information and do not share it for cross-context behavioral or targeted advertising as those terms are defined under applicable United States state privacy laws. We honor applicable universal opt-out preference signals such as Global Privacy Control (GPC).
9. Cookies and Tracking
The App and our sites may use necessary cookies for authentication and security and may use analytics technologies to understand feature adoption. Where required, we will obtain consent and provide controls to manage non-essential cookies.
10. Data Retention
We retain personal information only for as long as needed for the purposes described in this Policy or as required by law. Typical retention periods include:
- Merchant account and billing: Account management, invoicing, and support data are kept for the life of the account plus up to seven years for tax and record-keeping.
- App logs and analytics: Security, debugging, and performance data are retained for approximately 90 days for logs and up to 24 months for aggregated analytics.
- Customer data processed on behalf of merchants: Retained as configured by the merchant or according to Shopify webhook events, including uninstall notifications.
11. Disclosures to Service Providers and Others
We disclose personal information to service providers (for example hosting, cloud infrastructure, analytics, payments, email delivery, and customer support) under contracts that restrict use to our instructions and require appropriate safeguards. We may also disclose information to comply with law or legal process, to protect the rights, safety, and property of CrbonFree, you, or others, or in connection with a corporate transaction such as a merger, financing, or acquisition. We do not sell personal information.
12. Shopify Platform Disclosures
CrbonFree integrates with Shopify and adheres to Shopify's mandatory compliance webhooks for access, erasure, and uninstall events. We only request the minimum permissions necessary for the App to function. When an uninstall occurs, we receive an uninstall webhook and delete or de-identify merchant data not required for legal obligations.
Examples of data subject request webhooks processed through Shopify include:
- Customers Data Request (access).
- Customers Redact (erasure).
- Shop Redact (uninstall or account closure).
13. International Data Transfers
We and our service providers may process personal information in Canada, the United States, or other countries. We implement contractual and organizational safeguards for cross-border transfers, including data processing agreements and standard contractual clauses where required.
14. Security
We employ administrative, technical, and physical safeguards to protect personal information, including access controls, encryption in transit and at rest where appropriate, segmentation, and vulnerability management. No method of transmission or storage is completely secure.
15. Your Privacy Rights
Depending on your location, you may have rights to access, correct, delete, port, or restrict and opt out of certain processing. To exercise rights, contact us using the details below or submit requests through in-app controls where available. We will verify your request, including authorized agent requests, and respond within timelines required by law.
Canada (PIPEDA): Right to access or correct personal information and challenge compliance. Quebec (Law 25): enhanced consent, privacy impact assessments, designated privacy officer, notice of automated decision-making and profiling, and breach notification obligations. United States (including California CPRA, Colorado, and Connecticut): rights to know, access, correct, delete, opt out of sale, share, or targeted advertising, and limit the use of sensitive personal information.
16. Children's Privacy
Our Services are not directed to children. We do not knowingly collect personal information from children under 13 (COPPA). For Quebec residents, parental or guardian consent is required for children under 14. If you believe a child provided data, contact us so we can delete it.
17. Automated Decision-Making and Profiling
We do not make decisions with legal or similarly significant effects solely using automated processing. If we introduce such features, we will provide required notices and choices.
18. Marketing Preferences
You can opt out of marketing emails at any time by using the unsubscribe link or contacting us. We may still send transactional or service-related messages.
19. Changes to This Policy
We may update this Policy to reflect changes in technology, laws, or our practices. If changes are material, we will provide prominent notice (for example within the App or by email) before they take effect.
20. Contact and Privacy Officer
Crbon Labs Inc.
Attn: Privacy Officer
Suite 610, 211-11th Ave SW
Calgary, AB T2R 0C6
Email: privacy@crbonlabs.com
Canada: You may also contact the Office of the Privacy Commissioner of Canada at www.priv.gc.ca or, in Quebec, the Commission d'accès à l'information at www.cai.gouv.qc.ca. United States: California residents may contact the California Privacy Protection Agency at www.cppa.ca.gov or the California Attorney General at oag.ca.gov/privacy.